Hi,
On Tue, Jul 26, 2011 at 09:13:39AM +0200, Christian Seitz wrote:
> On Mon, 25 Jul 2011, Sander Steffann wrote:
> > > 5) ?
> >
> > Adapt uRPF so that it doesn't filter ICMP error messages. Whether this is
> > useful depends on how much ICMP error messages with unreachable source
> > addresses we expect to see? When people/organizations start to use ULA
> > addresses it might be more than we see now.
> do you really want to disable filtering all ICMP packets from non-routed
> addresses? I do not like to have an ICMP DoS from unroutable addresses in
> my network. ICMP is important for IPv6 communication to work, yes, but
> only from routable addresses.
Uh, I don't think that point is valid. Regarding DoS possibilities,
for ICMP *error* messages (which are not replied to) there's no difference
between "coming from routed space" and "coming from non-routed space".
If you're worried about DoS-by-ICMP, you need rate-limits. uRPF won't
help, as it's easy for a moderate-sized botnet to send you enough traffic
from legitimate sources without needing to spoof source addresses...
> ULA could be the next problem. Not only loose uRPF may be the problem in
> this case, but also infrastructure ACLs which deny ULA addresses from
> outside. RFC4193 4.3 says that packets from ULA addresses should be
> filtered at the border. If somebody sends ICMP "Packet too big" with an
> address from the ULA range as the source address it is expected that it
> will be dropped somewhere (at the border of the own network, at the border
> of the destination network or somewhere in a backbone between those two
> networks).
Now that's a different can of worms. If someone numbers their transit
network with ULAs and sends ICMP errors from ULA space, they deserve what
you can think up for them.
Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG                      Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444          USt-IdNr.: DE813185279
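The two filtering questions in this exchange (exempting ICMPv6 error messages from loose uRPF while rate-limiting them, and still dropping ULA-sourced packets at the border per RFC 4193 section 4.3) can be modelled in a few lines. The following is an added illustration, not code from the thread or from any router vendor; the routed prefixes, the rate/burst values and the packet records are constructed sample data, and the policy is a simplified model of what an ingress filter would decide, not a real forwarding plane.

```python
"""Model of loose uRPF, a ULA border ACL and an ICMPv6-error rate limit.

Added example for illustration; prefixes, rates and packets are constructed.
"""
import ipaddress

# RFC 4193: fc00::/7 is the Unique Local Address block; section 4.3 says
# border routers should drop ULA-sourced packets arriving from outside.
ULA_BLOCK = ipaddress.ip_network("fc00::/7")

# ICMPv6 error message types (RFC 4443): Destination Unreachable (1),
# Packet Too Big (2), Time Exceeded (3), Parameter Problem (4).
ICMPV6_ERROR_TYPES = {1, 2, 3, 4}


class TokenBucket:
    """Token bucket: refills `rate` tokens per second, stores at most `burst`."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        """Return True and consume a token if one is available at time `now`."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class IngressPolicy:
    """Loose uRPF with an ICMPv6-error exemption, a ULA iACL and a rate limit."""

    def __init__(self, routed_prefixes, icmp_error_pps=2, icmp_error_burst=3):
        self.routes = [ipaddress.ip_network(p) for p in routed_prefixes]
        # One bucket for all ICMPv6 errors: the volume an attacker can send
        # does not depend on whether the source is routed, so the cap is global.
        self.icmp_errors = TokenBucket(icmp_error_pps, icmp_error_burst)

    def has_route(self, src):
        """Loose uRPF check: is there any route covering the source address?"""
        return any(src in net for net in self.routes)

    def decide(self, pkt, now=0.0):
        src = ipaddress.ip_address(pkt["src"])
        is_icmp_error = (pkt["proto"] == "icmpv6"
                         and pkt.get("type") in ICMPV6_ERROR_TYPES)
        # Infrastructure ACL: ULA sources are never valid from outside,
        # error message or not (RFC 4193 section 4.3).
        if src in ULA_BLOCK:
            return "drop:ula-acl"
        if is_icmp_error:
            # Exempt ICMPv6 errors from loose uRPF so Packet Too Big from an
            # unrouted router address still gets through, but cap their rate.
            return "accept" if self.icmp_errors.allow(now) else "drop:ratelimit"
        if not self.has_route(src):
            return "drop:urpf"
        return "accept"


# Constructed sample traffic; 2001:db8::/32 is the documentation prefix.
ROUTED_PREFIXES = ["2001:db8:1::/48", "2001:db8:2::/48"]
SAMPLE_PACKETS = [
    {"src": "2001:db8:1::10", "proto": "tcp"},                  # routed, ordinary traffic
    {"src": "2001:db8:ffff::1", "proto": "tcp"},                # no route back: loose uRPF drops
    {"src": "2001:db8:ffff::1", "proto": "icmpv6", "type": 2},  # PTB from unrouted source: exempt
    {"src": "fd00:1234::1", "proto": "icmpv6", "type": 2},      # PTB from ULA: border ACL drops
    {"src": "2001:db8:1::10", "proto": "icmpv6", "type": 2},    # PTB flood from a routed source...
    {"src": "2001:db8:1::10", "proto": "icmpv6", "type": 2},
    {"src": "2001:db8:1::10", "proto": "icmpv6", "type": 2},    # ...bucket empties regardless of source
]


def run_sample(now=0.0):
    """Apply the policy to the sample packets (all arriving at time `now`)."""
    policy = IngressPolicy(ROUTED_PREFIXES)
    return [policy.decide(pkt, now) for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_sample()):
        print(f"{pkt['src']:>18} {pkt['proto']:>7} -> {verdict}")
```

The model shows the distinction Gert draws: the uRPF exemption lets a legitimate Packet Too Big from an unrouted source through, while the rate limiter, not source validation, is what bounds the damage of an ICMP flood from routed sources. The ULA check sits before both, since an ULA source at the border is invalid irrespective of message type.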